python.django.security.injection.command.command-injection-os-system.command-injection-os-system

Verifed by r2c
Community Favorite
profile photo of returntocorpreturntocorp
Author
180,629
Download Count*

Request data detected in os.system. This could be vulnerable to a command injection and should be avoided. If this must be done, use the 'subprocess' module instead and pass the arguments as a list. See https://owasp.org/www-community/attacks/Command_Injection for more information.

Run Locally

Run in CI

Defintion

rules:
  - id: command-injection-os-system
    message: Request data detected in os.system. This could be vulnerable to a
      command injection and should be avoided. If this must be done, use the
      'subprocess' module instead and pass the arguments as a list. See
      https://owasp.org/www-community/attacks/Command_Injection for more
      information.
    metadata:
      cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command
        ('OS Command Injection')"
      owasp: "A1: Injection"
      references:
        - https://owasp.org/www-community/attacks/Command_Injection
      category: security
      technology:
        - django
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - python
    severity: ERROR
    patterns:
      - pattern-inside: |
          def $FUNC(...):
            ...
      - pattern-either:
          - pattern: os.system(..., request.$W.get(...), ...)
          - pattern: os.system(..., $S.format(..., request.$W.get(...), ...), ...)
          - pattern: os.system(..., $S % request.$W.get(...), ...)
          - pattern: os.system(..., f"...{request.$W.get(...)}...", ...)
          - pattern: |
              $DATA = request.$W.get(...)
              ...
              os.system(..., $DATA, ...)
          - pattern: |
              $DATA = request.$W.get(...)
              ...
              $INTERM = $DATA
              ...
              os.system(..., $INTERM, ...)
          - pattern: |
              $DATA = request.$W.get(...)
              ...
              os.system(..., $STR.format(..., $DATA, ...), ...)
          - pattern: |
              $DATA = request.$W.get(...)
              ...
              $INTERM = $STR.format(..., $DATA, ...)
              ...
              os.system(..., $INTERM, ...)
          - pattern: |
              $DATA = request.$W.get(...)
              ...
              os.system(..., $STR % $DATA, ...)
          - pattern: |
              $DATA = request.$W.get(...)
              ...
              $INTERM = $STR % $DATA
              ...
              os.system(..., $INTERM, ...)
          - pattern: |
              $DATA = request.$W.get(...)
              ...
              os.system(..., f"...{$DATA}...", ...)
          - pattern: |
              $DATA = request.$W.get(...)
              ...
              $INTERM = f"...{$DATA}..."
              ...
              os.system(..., $INTERM, ...)
          - pattern: |
              $DATA = request.$W.get(...)
              ...
              os.system(..., $STR + $DATA, ...)
          - pattern: |
              $DATA = request.$W.get(...)
              ...
              $INTERM = $STR + $DATA
              ...
              os.system(..., $INTERM, ...)
          - pattern: $A = os.system(..., request.$W.get(...), ...)
          - pattern: $A = os.system(..., $S.format(..., request.$W.get(...), ...), ...)
          - pattern: $A = os.system(..., $S % request.$W.get(...), ...)
          - pattern: $A = os.system(..., f"...{request.$W.get(...)}...", ...)
          - pattern: return os.system(..., request.$W.get(...), ...)
          - pattern: return os.system(..., $S.format(..., request.$W.get(...), ...), ...)
          - pattern: return os.system(..., $S % request.$W.get(...), ...)
          - pattern: return os.system(..., f"...{request.$W.get(...)}...", ...)
          - pattern: os.system(..., request.$W(...), ...)
          - pattern: os.system(..., $S.format(..., request.$W(...), ...), ...)
          - pattern: os.system(..., $S % request.$W(...), ...)
          - pattern: os.system(..., f"...{request.$W(...)}...", ...)
          - pattern: |
              $DATA = request.$W(...)
              ...
              os.system(..., $DATA, ...)
          - pattern: |
              $DATA = request.$W(...)
              ...
              $INTERM = $DATA
              ...
              os.system(..., $INTERM, ...)
          - pattern: |
              $DATA = request.$W(...)
              ...
              os.system(..., $STR.format(..., $DATA, ...), ...)
          - pattern: |
              $DATA = request.$W(...)
              ...
              $INTERM = $STR.format(..., $DATA, ...)
              ...
              os.system(..., $INTERM, ...)
          - pattern: |
              $DATA = request.$W(...)
              ...
              os.system(..., $STR % $DATA, ...)
          - pattern: |
              $DATA = request.$W(...)
              ...
              $INTERM = $STR % $DATA
              ...
              os.system(..., $INTERM, ...)
          - pattern: |
              $DATA = request.$W(...)
              ...
              os.system(..., f"...{$DATA}...", ...)
          - pattern: |
              $DATA = request.$W(...)
              ...
              $INTERM = f"...{$DATA}..."
              ...
              os.system(..., $INTERM, ...)
          - pattern: |
              $DATA = request.$W(...)
              ...
              os.system(..., $STR + $DATA, ...)
          - pattern: |
              $DATA = request.$W(...)
              ...
              $INTERM = $STR + $DATA
              ...
              os.system(..., $INTERM, ...)
          - pattern: $A = os.system(..., request.$W(...), ...)
          - pattern: $A = os.system(..., $S.format(..., request.$W(...), ...), ...)
          - pattern: $A = os.system(..., $S % request.$W(...), ...)
          - pattern: $A = os.system(..., f"...{request.$W(...)}...", ...)
          - pattern: return os.system(..., request.$W(...), ...)
          - pattern: return os.system(..., $S.format(..., request.$W(...), ...), ...)
          - pattern: return os.system(..., $S % request.$W(...), ...)
          - pattern: return os.system(..., f"...{request.$W(...)}...", ...)
          - pattern: os.system(..., request.$W[...], ...)
          - pattern: os.system(..., $S.format(..., request.$W[...], ...), ...)
          - pattern: os.system(..., $S % request.$W[...], ...)
          - pattern: os.system(..., f"...{request.$W[...]}...", ...)
          - pattern: |
              $DATA = request.$W[...]
              ...
              os.system(..., $DATA, ...)
          - pattern: |
              $DATA = request.$W[...]
              ...
              $INTERM = $DATA
              ...
              os.system(..., $INTERM, ...)
          - pattern: |
              $DATA = request.$W[...]
              ...
              os.system(..., $STR.format(..., $DATA, ...), ...)
          - pattern: |
              $DATA = request.$W[...]
              ...
              $INTERM = $STR.format(..., $DATA, ...)
              ...
              os.system(..., $INTERM, ...)
          - pattern: |
              $DATA = request.$W[...]
              ...
              os.system(..., $STR % $DATA, ...)
          - pattern: |
              $DATA = request.$W[...]
              ...
              $INTERM = $STR % $DATA
              ...
              os.system(..., $INTERM, ...)
          - pattern: |
              $DATA = request.$W[...]
              ...
              os.system(..., f"...{$DATA}...", ...)
          - pattern: |
              $DATA = request.$W[...]
              ...
              $INTERM = f"...{$DATA}..."
              ...
              os.system(..., $INTERM, ...)
          - pattern: |
              $DATA = request.$W[...]
              ...
              os.system(..., $STR + $DATA, ...)
          - pattern: |
              $DATA = request.$W[...]
              ...
              $INTERM = $STR + $DATA
              ...
              os.system(..., $INTERM, ...)
          - pattern: $A = os.system(..., request.$W[...], ...)
          - pattern: $A = os.system(..., $S.format(..., request.$W[...], ...), ...)
          - pattern: $A = os.system(..., $S % request.$W[...], ...)
          - pattern: $A = os.system(..., f"...{request.$W[...]}...", ...)
          - pattern: return os.system(..., request.$W[...], ...)
          - pattern: return os.system(..., $S.format(..., request.$W[...], ...), ...)
          - pattern: return os.system(..., $S % request.$W[...], ...)
          - pattern: return os.system(..., f"...{request.$W[...]}...", ...)
          - pattern: os.system(..., request.$W, ...)
          - pattern: os.system(..., $S.format(..., request.$W, ...), ...)
          - pattern: os.system(..., $S % request.$W, ...)
          - pattern: os.system(..., f"...{request.$W}...", ...)
          - pattern: |
              $DATA = request.$W
              ...
              os.system(..., $DATA, ...)
          - pattern: |
              $DATA = request.$W
              ...
              $INTERM = $DATA
              ...
              os.system(..., $INTERM, ...)
          - pattern: |
              $DATA = request.$W
              ...
              os.system(..., $STR.format(..., $DATA, ...), ...)
          - pattern: |
              $DATA = request.$W
              ...
              $INTERM = $STR.format(..., $DATA, ...)
              ...
              os.system(..., $INTERM, ...)
          - pattern: |
              $DATA = request.$W
              ...
              os.system(..., $STR % $DATA, ...)
          - pattern: |
              $DATA = request.$W
              ...
              $INTERM = $STR % $DATA
              ...
              os.system(..., $INTERM, ...)
          - pattern: |
              $DATA = request.$W
              ...
              os.system(..., f"...{$DATA}...", ...)
          - pattern: |
              $DATA = request.$W
              ...
              $INTERM = f"...{$DATA}..."
              ...
              os.system(..., $INTERM, ...)
          - pattern: |
              $DATA = request.$W
              ...
              os.system(..., $STR + $DATA, ...)
          - pattern: |
              $DATA = request.$W
              ...
              $INTERM = $STR + $DATA
              ...
              os.system(..., $INTERM, ...)
          - pattern: $A = os.system(..., request.$W, ...)
          - pattern: $A = os.system(..., $S.format(..., request.$W, ...), ...)
          - pattern: $A = os.system(..., $S % request.$W, ...)
          - pattern: $A = os.system(..., f"...{request.$W}...", ...)
          - pattern: return os.system(..., request.$W, ...)
          - pattern: return os.system(..., $S.format(..., request.$W, ...), ...)
          - pattern: return os.system(..., $S % request.$W, ...)
          - pattern: return os.system(..., f"...{request.$W}...", ...)

Examples

command-injection-os-system.py

import os

def danger(request):
    # ruleid: command-injection-os-system
    url = request.GET['url']
    os.system('wget ' + url)

def danger2(request):
    # ruleid: command-injection-os-system
    image = request.POST['image']
    os.system("./face-recognize %s --N 24" % image)

def danger3(request):
    # ruleid: command-injection-os-system
    url = request.GET['url']
    os.system("nslookup " + url)

def ok(request):
    # ok: command-injection-os-system
    url = request.GET['url']
    os.system("echo 'hello'")